EKS Audit Log Integration Using CloudFormation

Overview

The integration takes two steps:

  1. Create an integration in the Lacework Console.
  2. Instrument each EKS cluster for the EKS integration created in Step 1.
    • Enable EKS logs on the clusters you want to integrate
    • Integrate EKS clusters

Prerequisites

You must enable control plane audit logging on every cluster that you want to integrate (logging is configured per cluster, so repeat this for each one). You can do this via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

The update is asynchronous: the command returns an update ID and the cluster status shows UPDATING until the change is applied. Audit events are then written to the cluster's CloudWatch log group, /aws/eks/<cluster_name>/cluster, which is the source the integration forwards to S3.
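
As an added example (not from the Lacework documentation): an idempotent version of this prerequisite in Python with boto3. The parsing helpers work on the JSON that aws eks describe-cluster returns, so they can be exercised offline against the constructed sample response in the block; only main() talks to AWS, and the region and cluster name it expects are placeholders passed on the command line.

```python
"""Idempotent enable-and-check for EKS control-plane audit logging.

Added example, not from the Lacework documentation. The helpers take the dict
that `aws eks describe-cluster` / boto3 `describe_cluster` return, so they run
offline; `main()` performs the live calls with boto3 using the (placeholder)
region and cluster name given on the command line.
"""
import json
import sys

AUDIT = "audit"


def enabled_log_types(describe_cluster_response):
    """Return the set of control-plane log types currently enabled.

    Input shape: {"cluster": {"logging": {"clusterLogging":
                  [{"types": [...], "enabled": bool}, ...]}}}
    A cluster whose logging was never configured may lack the "logging" key.
    """
    cluster = describe_cluster_response.get("cluster", {})
    entries = cluster.get("logging", {}).get("clusterLogging", [])
    enabled = set()
    for entry in entries:
        if entry.get("enabled"):
            enabled.update(entry.get("types", []))
    return enabled


def audit_logging_enabled(describe_cluster_response):
    return AUDIT in enabled_log_types(describe_cluster_response)


def audit_logging_payload():
    """The --logging argument from the page, as a dict (json.dumps gives the CLI string)."""
    return {"clusterLogging": [{"types": [AUDIT], "enabled": True}]}


def ensure_audit_logging(eks, cluster_name):
    """Enable audit logging only if it is currently off.

    Returns (changed, update_id_or_None). The check matters because
    UpdateClusterConfig rejects a logging change that changes nothing with an
    InvalidParameterException, and a real change puts the cluster into
    UPDATING, so re-running the CLI command blindly is not a no-op.
    """
    response = eks.describe_cluster(name=cluster_name)
    if audit_logging_enabled(response):
        return False, None
    result = eks.update_cluster_config(name=cluster_name, logging=audit_logging_payload())
    return True, result["update"]["id"]


# Constructed sample response (not real cluster data): api and authenticator
# logging on, audit off, as DescribeCluster would report it.
SAMPLE_DESCRIBE_CLUSTER = {
    "cluster": {
        "name": "demo-cluster",
        "logging": {
            "clusterLogging": [
                {"types": ["api", "authenticator"], "enabled": True},
                {"types": ["audit", "controllerManager", "scheduler"], "enabled": False},
            ]
        },
    }
}


def main(argv):
    import boto3  # imported here so the offline helpers do not require boto3

    region, cluster_name = argv[1], argv[2]
    eks = boto3.client("eks", region_name=region)
    changed, update_id = ensure_audit_logging(eks, cluster_name)
    if changed:
        print("audit logging update submitted, id=%s" % update_id)
    else:
        print("audit logging already enabled on %s" % cluster_name)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        main(sys.argv)
    else:
        # Offline demonstration against the constructed sample.
        print(json.dumps(audit_logging_payload()))
        print("sample cluster audit enabled:", audit_logging_enabled(SAMPLE_DESCRIBE_CLUSTER))
```

Run it as python enable_audit.py <region> <cluster_name> with credentials that allow eks:DescribeCluster and eks:UpdateClusterConfig; without arguments it only prints the payload and the result for the sample response.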

Create an Integration in the Lacework Console

Completing the steps in this section runs the first of two CloudFormation templates. You will run the second when you instrument EKS clusters.

To create the integration, you can either Run the CloudFormation template or Download the CloudFormation template. If you have multiple accounts with distributed ownership, you may want to use the Download option.

Follow the steps for your chosen option.

  1. Log in to the Lacework Console.
  2. Go to Settings > Integrations > Cloud accounts.
  3. Click + Add New.
  4. Click Amazon Web Services and select CloudFormation.
  5. Click Next.
  6. Select EKS Audit Log.
  7. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page.
  8. Review the Create stack page and click Next. The template populates the Amazon S3 URL for you.
  9. Review the Specify stack details page and click Next. The template populates ResourceNamePrefix.
  10. On the Configure stack options page, click Next.
  11. Verify the information on the Review page and click Submit.

Instrument EKS Clusters

Enable EKS Logs

Ensure audit logging is enabled on the clusters that you want to integrate, using the command shown in Prerequisites. The CloudFormation template does not currently support this action.

For more information, go to Amazon EKS control plane logging.

Integrate EKS Clusters

Completing the steps in this section instruments each EKS cluster in the EKS integration you just created by running the second of two CloudFormation templates. You ran the first when you created the integration.

To instrument EKS clusters, you can either Run the CloudFormation template or Download the CloudFormation template. If you have multiple accounts with distributed ownership, you may want to use the Download option.

Follow the steps for your chosen option.

  1. In the Lacework Console, go to Settings > Integrations > Cloud accounts.
  2. Click the EKS Audit Log integration.
  3. Click Run CloudFormation Template. If you are already logged in to your AWS account, this redirects you to the Create stack page.
  4. Review the Create stack page and click Next. The template populates the Amazon S3 URL for you.
  5. On the Specify stack details page, provide the EKSClusterName. The template populates the FirehoseARN. If desired, update the ResourceNamePrefix. When finished, click Next. Create this stack in the AWS Region where the cluster runs, because the cluster's CloudWatch log group that the stack subscribes to is regional.
  6. On the Configure stack options page, click Next.
  7. Verify the information on the Review page and click Submit.

Verify the Integration is Set Up

To verify logs are flowing from the CloudWatch log group to the S3 bucket, look for objects created in the S3 bucket under the prefix eks_audit_logs/<aws-account-id>/. Log objects are written about every 5 minutes, so allow at least that long after the second stack completes before concluding that nothing is arriving.

To verify SNS notifications for the creation of S3 objects, create an email subscription on the SNS topic and confirm the subscription by clicking the link sent to your inbox. Each time a log object is written (about every 5 minutes), you should receive an email with the object's key details. Once you have confirmed delivery, delete the test email subscription so the topic does not keep notifying a mailbox on every object.
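
As an added example (not from the Lacework documentation): a Python check with boto3 that lists the bucket under eks_audit_logs/<aws-account-id>/ and reports whether the newest object is recent enough for the 5 minute cadence stated above. The bucket name and account ID are placeholders; the stale threshold of three missed intervals and the sample listing are my assumptions, and the object key layout below the prefix is constructed rather than the real layout.

```python
"""Check that EKS audit log objects are arriving in the integration's S3 bucket.

Added example, not part of the Lacework documentation. The page states that
objects land under eks_audit_logs/<aws-account-id>/ and that a log object is
written about every 5 minutes. `audit_log_status()` works on the dict shape
that S3 ListObjectsV2 returns so it can be exercised offline; `main()` does
the live listing with boto3 for a placeholder bucket and account ID.
"""
from datetime import datetime, timedelta, timezone
import sys

DELIVERY_INTERVAL = timedelta(minutes=5)  # cadence stated on the page
STALE_AFTER = 3 * DELIVERY_INTERVAL       # assumption: three missed intervals means trouble


def audit_log_prefix(account_id):
    return "eks_audit_logs/%s/" % account_id


def audit_log_status(listing, account_id, now):
    """Summarise a ListObjectsV2 response for the account's audit-log prefix.

    Returns the number of matching objects, the key and age (seconds) of the
    newest one, and whether delivery looks healthy (newest object no older
    than STALE_AFTER). Keys outside the expected prefix are ignored so that
    unrelated objects in a shared bucket cannot make delivery look healthy.
    """
    prefix = audit_log_prefix(account_id)
    objects = [o for o in listing.get("Contents", []) if o["Key"].startswith(prefix)]
    if not objects:
        return {"count": 0, "newest_key": None, "age_seconds": None, "healthy": False}
    newest = max(objects, key=lambda o: o["LastModified"])
    age = now - newest["LastModified"]
    return {
        "count": len(objects),
        "newest_key": newest["Key"],
        "age_seconds": int(age.total_seconds()),
        "healthy": age <= STALE_AFTER,
    }


# Constructed sample listing (not real data). Only the documented prefix is
# meaningful; the part below it is made up for the example.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LISTING = {
    "Contents": [
        {"Key": "eks_audit_logs/111122223333/sample-object-1.gz",
         "LastModified": NOW - timedelta(minutes=12)},
        {"Key": "eks_audit_logs/111122223333/sample-object-2.gz",
         "LastModified": NOW - timedelta(minutes=4)},
        {"Key": "other-prefix/unrelated.txt", "LastModified": NOW},
    ]
}


def main(argv):
    import boto3  # imported here so the offline helper does not require boto3

    bucket, account_id = argv[1], argv[2]
    s3 = boto3.client("s3")
    # Paginate: a single ListObjectsV2 call returns at most 1000 keys, and the
    # newest object is not guaranteed to be on the first page.
    contents = []
    paginator = s3.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket, Prefix=audit_log_prefix(account_id)):
        contents.extend(page.get("Contents", []))
    status = audit_log_status({"Contents": contents}, account_id, datetime.now(timezone.utc))
    print(status)
    return 0 if status["healthy"] else 1


if __name__ == "__main__":
    if len(sys.argv) == 3:
        sys.exit(main(sys.argv))
    else:
        # Offline demonstration against the constructed sample.
        print(audit_log_status(SAMPLE_LISTING, "111122223333", NOW))
```

Run it as python check_delivery.py <bucket_name> <aws-account-id> with credentials that allow s3:ListBucket on the integration bucket; a non-zero exit code means no object under the prefix is younger than the stale threshold, which is the signal to go back and check that the cluster's audit logging is enabled and that the second stack was created in the cluster's region.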